March 31, 2003 at 10:47 am
I was wondering if anyone has had any experience with developing and implementing any means of locking users out of a SQL Server 2000 db that is part of an application. For example, company x sells and supports an application on a "monthly service fee" licensing model. If the end user pays the monthly service fee in a timely manner then a code is downloaded to their application and the application is available to them for another 30days or so. If the fee is not received, then no authorization code is downloaded to their application and the application -after an arbitrary, predetermined grace period - is locked until the auth code is received.
My concerns with approaching this from the standpoint of placing the auth code validation in a stored procedure in SQL Server is that anyone with admin rights could conceivably circumvent it or disable it completely (and it probably wouldn't be too hard for an experienced DBA to do). A couple of routes come to mind: 1) incorporating a small VB executable that checks for a valid license key or 2) possibly utilizing a cookie on the application server that contains an encrypted key code. I am wondering if anyone has tackled a similar problem in the past and, if so, how did you go about it?
Also, if there is a more appropriate list for this question I would appreciate being steered in that direction as well. Thank you in advance...
Michael
Michael Weiss
Michael Weiss
March 31, 2003 at 4:29 pm
From your text, it sounds like the application and the database are at the client site. If the database was under your control, then you would be the only system administrator and you could control access of specific logons/users through the internal SQL security.
One approach would be to have the application contact your corporate database (via website?) to validate the account. This could be done at start-up or user login.
Alternately, your office could download an encrypted authentication to the various client databases on a monthly basis. For instance, encrypt the current Month/Year and download it. On application start-up/login, the application would run the same encrytion and compare it against the copy downloaded.
I'm sure there are about a kabajillion other ways to do this but those are my ideas off the top ogf my head.
HTH
Steve Hendricks
MCSD, MCDBA
AFS Consulting Group
(949) 588-9800 x15
Steve Hendricks
MCSD, MCDBA
Data Matrix
shendricks@afsconsulting.com
(949) 588-9800 x15
March 31, 2003 at 5:35 pm
Thank you...I like the sounds of both of those ideas and will give them some thought. Yes, you are correct in your assumption that both the UI and the backend db of this app will reside at the client site...it would be nice if the db resided at our office but the volume of data being processed by each customer, and the amounts of data processed by the various analytical queries the application provides would prohibit that I would think.
Thank you again for your suggestions...
Michael
Michael Weiss
Michael Weiss
March 31, 2003 at 5:47 pm
Agree with that - a web service is just about ideal for this type of thing, would let you keep the authentication off site.
Andy
March 31, 2003 at 5:52 pm
Thank you, Andy. The web service approach Steve suggested is sounding better every minute!
Michael Weiss
Michael Weiss
April 3, 2003 at 4:07 am
The way I'm reading this suggests you might want to secure the database to prevent access through other software (e.g. Access, any ODBC/OLEDB consumer) as well?
Viewing 6 posts - 1 through 5 (of 5 total)
You must be logged in to reply to this topic. Login to reply